Disable (turn off) FileVault Via Policy/Script

milesleacy
Valued Contributor

Before reinventing the wheel, I'd like to ping the community to see if anyone has already done this...

I need to turn off FileVault on select Macs. fdesetup has a "disable" verb, but it asks for a password/recovery key interactively.

Before I put on my R&D hat and dig in, has anyone already tackled scripting this process?

Thanks!

(screenshot of fdesetup disable process attached)


bkramps
New Contributor III

@milesleacy if these Macs have a common Admin account that is a FV User and you know the password, it can be scripted.

#!/bin/sh
# Write the credentials plist that fdesetup reads on stdin.
# Note: this stores the admin password in clear text under /Users/Shared,
# which every local user can read, so it is removed right after use.
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>AdminPassword</string>
</dict>
</plist>' > /Users/Shared/filevault.plist
# Disable FileVault non-interactively using the plist
fdesetup disable -inputplist < /Users/Shared/filevault.plist
# Remove the plist so the password does not linger on disk
rm /Users/Shared/filevault.plist

If you do not have access to a FV enabled User's password or the Recovery Key, it would be difficult to script w/o user interaction.

milesleacy
Valued Contributor

Great! Thanks @bkramps . That script is exactly what I was hoping to avoid building from scratch.

Delivering this feature request would make it easier...
Add ability to report on FV2 Recovery Keys (and/or access them via API)
Although, it's really just a halfway point to delivering my feature request above.

JasonkMiller
New Contributor

@milesleacy Hey Miles,

Want to also point out @rtrouton work with fdesetup. https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/

It talks about disabling and enabling fdesetup in detail.

milesleacy
Valued Contributor

Thanks @JasonkMiller ! I'm well familiar with @rtrouton 's fine FileVault write-ups and enthusiastically recommend them to anyone who needs to know how Apple's encryption system works.

rtrouton
Release Candidate Programs Tester

Funnily enough, I had a request during my CCA class from one of my classmates for a script which disabled encryption via Self Service. I wrote this post and associated expect script in response:

https://derflounder.wordpress.com/2014/03/22/disabling-filevault-2-with-fdesetup-on-mountain-lion-an...

milesleacy
Valued Contributor

@rtrouton Nifty, but the goal is to have the JSS provide the recovery key, since it's already stored there. User interaction is a show stopper.

Modifying @bkramps's solution to feed the XML with an API call would be nice, but that comes back to the other, as-yet undelivered, feature request.

It seems that with currently-available tools, disabling FileVault without user interaction is not an option.

Well, at least not in a supportable workflow...

mm13
New Contributor II

Curious if there has been any progress made on this front...

macninja_IO
New Contributor III

I made some minor changes to the plist.
This works for me

#!/bin/bash
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
        <dict>
                <key>Username</key>
                <string>AdminUser</string>
                <key>Password</key>
                <string>AdminPassword</string>
        </dict>
</plist>' > /tmp/filevault.plist
fdesetup disable -inputplist < /tmp/filevault.plist
rm /tmp/filevault.plist
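Both scripts in this thread (bkramps's and macninja_IO's) paste the password verbatim into a plist written to a path other local users can read, and a password containing `&` or `<` would produce a plist fdesetup cannot parse. The script below is an added example, not code from the thread or from any of its posters: it keeps the same `fdesetup disable -inputplist` approach but pipes the plist over stdin so no file is written, XML-escapes the credential, and checks FileVault state before and after. fdesetup's man page documents that the Password value may be a personal recovery key instead of a user password (omit Username in that case), and `fdesetup isactive` exits 0 only while FileVault is on. The function names and the FV_USER/FV_SECRET environment variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive `fdesetup disable`
# that never writes the credential to disk. Assumes macOS with fdesetup in
# PATH and that the script runs as root (as a Jamf policy script does).
set -eu

# Escape the five XML special characters so a password such as a&b<c
# cannot corrupt the plist (the scripts in the thread embed it verbatim).
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist fdesetup expects on stdin. With a user password pass both
# arguments; with a personal recovery key pass an empty username and the key
# as the second argument (fdesetup accepts the recovery key in Password).
build_disable_plist() {
    user=$1
    secret=$2
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    if [ -n "$user" ]; then
        printf '\t<key>Username</key>\n\t<string>%s</string>\n' "$(xml_escape "$user")"
    fi
    printf '\t<key>Password</key>\n\t<string>%s</string>\n' "$(xml_escape "$secret")"
    printf '</dict>\n</plist>\n'
}

# Disable FileVault. The plist reaches fdesetup over a pipe, so the secret
# never touches /Users/Shared or /tmp and there is nothing to clean up.
disable_filevault() {
    user=$1
    secret=$2
    if ! fdesetup isactive >/dev/null 2>&1; then
        echo "FileVault is already off; nothing to do."
        return 0
    fi
    build_disable_plist "$user" "$secret" | fdesetup disable -inputplist
    # Decryption continues in the background; this only reports the new state.
    fdesetup status
}

# Usage: FV_USER=admin FV_SECRET='...' sh disable_fv.sh
# (FV_USER empty + FV_SECRET=<recovery key> uses the recovery-key form.)
# Only runs when a secret is supplied, so sourcing the file for its
# functions does nothing.
if [ "${FV_SECRET:-}" != "" ]; then
    disable_filevault "${FV_USER:-}" "$FV_SECRET"
fi
```

When this runs from a Jamf policy, the usual alternative to environment variables is the policy's script parameters (`$4` onward); either way the secret is passed to the script rather than hard-coded into it, and `set -u` makes a missing parameter fail loudly instead of sending an empty password to fdesetup.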